In this edition of Ask the Expert, we speak with Christoph Ratavaara, Information Security Officer at isolutions AG, a leading Microsoft partner in Switzerland that creates digital work environments that foster creativity, enable smart collaboration and create positive customer experiences. Christoph shares insights on how he uses the ahead intranet to effectively communicate cybersecurity risks, overcome the challenges of internal information security communication and maintain a strong security culture, especially in a remote working environment.
Christoph, could you tell us more about your role at isolutions?
As Information Security Officer at isolutions AG, I am responsible for the information & cyber security of our organization. I am the link between the different areas of IT, security and business. My tasks include the planning & implementation of technical and organizational measures, risk assessments, protection against and handling of threats and incidents, as well as one of the most important components: the establishment of a security culture.
What strategies have you implemented to regularly inform employees about cybersecurity risks and best practices?
I use our ahead intranet as a communication channel for short-term and urgent messages to all employees, for example to warn of an impending phishing campaign, as well as for official communication in the event of changes or new policies and guidelines. I also use ahead as the most important basis for our awareness campaigns and for regular security newsletters with various content on the topics of information and cyber security to keep all employees and our experts up to date.
In your opinion, what are the biggest challenges in internal communication on the topic of information security?
One of the most important success factors is people. If all technical measures fail, it is usually the human being who makes the next decision. If they are uninformed, misinformed or unaware of the issue of security and protection, incidents can occur that could have been prevented by simple means. Information security is often an abstract, complex and technical topic. Clear and level-appropriate communication is crucial, but not always easy to achieve. It can be very time-consuming to find the right composition without getting lost in long explanations. As an author, ahead offers me a comprehensive but simple and quick way to use the intranet that allows me to communicate with everyone in a timely and level-appropriate manner. I don't have to struggle with the technology, but can concentrate on the content. The statistics show me how the information is being received and the comment function allows everyone to give feedback and interact directly with my contribution.
Can you describe a case study where you and your team successfully communicated about information security/addressed a security issue?
We have been running a Cybersecurity Awareness Month for two years now, using ahead as the basis. With the campaign function, we can link all posts and events from our awareness campaigns and make them available to employees. We use ahead from the beginning to the end of the campaign: at the start to publicize the Cybersecurity Awareness Month with all events and information, during the campaign month for stories & posts and interaction with employees, and at the end with the provision of all content created.
The campaign page of the Cybersecurity Awareness Month campaign
How can internal communication strategies be adapted to maintain a strong security culture among employees working remotely or in the workplace?
With the flood of information we are all exposed to on a daily basis, the topic of information security & awareness needs to be actively addressed time and time again. There should be regular, recurring and recognizable formats within the communication strategy. It is important to critically scrutinize your own communication on a regular basis to ensure that it is appropriate for the level and is also read and taken seriously by employees; otherwise, adjustments or new formats need to be developed. Ultimately, a good format doesn't work forever; it also needs variety and interaction, and what always helps is when employees can derive a private benefit from something and it doesn't just take place in a professional context. If you have communication and change experts, you should definitely involve them as supporters and critical reviewers.
Activate employees through entertaining, interactive stories during Cybersecurity Awareness Month
What tools or technologies do you use for this purpose?
I use our ahead intranet as the basis for all communication. Other tools I use are DeepL for writing and translating texts and Midjourney as an image generation AI for posts and campaigns.